Data retention policy
Records Retention
Records, documents or correspondence other than Company Records and Archival Records should be disposed of when they are no longer needed for active use by those who possess them.
Departments, units and individuals that are not Official Repositories but who possess copies of one or more Company Records are not responsible for retaining the records for the retention period and should dispose of the records when the records are no longer in active use.
Suspension of Record Destruction
If the Office of Counsel communicates the need to suspend record destruction, destruction must be suspended immediately. Destruction or alteration of any record, in whatever form, that relates to pending or threatened litigation or government investigation, or that relates to any matter about which litigation or investigation is reasonably foreseeable, is prohibited by this policy and can result in termination, civil and/or criminal liability.
Electronic Records and Email
This policy applies equally to records that exist in electronic or paper form. It is the content and function of an email message or electronic record that determines its retention period. Users should retain or dispose of electronic records according to the requirements of the applicable retention schedule attached to this policy just as they would paper records.
Company Records kept in electronic form must be stored on network servers, not individual computer or other device hard drives. Consistent with the Company’s Information Technology Policy, each Company Record should be stored in a manner that is accessible by more than one authorized user of the Record, so that the Record remains accessible in the absence of one of those users.
Generally, Company records should not be kept in email. The Company’s email system is not intended for record keeping or storage purposes. If an email or attachment to an email contains a document that must be retained under this policy, the user must assure that the record is kept in the file or database in which records of the same type generally are kept.
Any email whose function or content does not require retention for any period under this policy and that is not important to ongoing Company business should be routinely disposed of as soon as possible after it is read. This includes, but is not limited to, transitory communications to set up meetings, notices or correspondence concerning a subject not identified on the retention schedule and emails about personal matters.
This policy applies to all electronic documents and email that is pertains to the business of the Company created by Company employees. Work-related email should be received and sent through each employee’s official Company email account. Employees who forward email that might constitute a Company Record to non-Company databases or email accounts must set up forwarding in a way that does not result in the automatic deletion of email from the Company-based system. Exclusive use of outside email services to conduct Company business that does not involve routing email through Company systems is prohibited.
Data archiving and removal policy
Record Destruction
When records are no longer required to be retained under this policy and are no longer in active use, they should be destroyed or discard.
Paper:
Discard all non-confidential paper records, preferably in recycle bins. Shred or otherwise render unreadable confidential paper records.
Electronic:
Non-confidential electronic records may be deleted with simple file or email delete commands. Confidential records stored in Company Data Centers also may be disposed of in this manner.
Confidential electronic records that have been stored outside of Company Data Centers, for example, on departmental file servers or desktop computers or CDs must be securely disposed of. This is typically done by overwriting the record or by physically destroying the media on which the record is stored. Contact Company IT or Information Systems Division for additional information on secure disposal methods for electronic data.
Email Management Guidelines
The following email management guidelines should be followed:
Consider alternatives to attaching files to email, such as sharing files by putting them on a shared data site (access-restricted where appropriate). They will be just as available for most people and the files can be any size or type.
Limit use of “reply all” to those who really need to be involved in the continued discussion
Organize your messages in appropriately named folders. Such a practice simplifies knowing when to safely delete messages and folders.
Sent Messages. By default, copies of email messages sent to other people are usually kept in a folder for sent items. These files should be reviewed periodically, with records stored according to the records retention policy and non-business records deleted. Some email systems allow automatic deletion of sent messages, which option should be activated.
Clear out copies of deleted messages periodically. In many email systems, when a message is removed from the inbox, sent mail folder or other folder, it is not deleted completely from the system. If possible, set your email system to automatically delete deleted items daily.
Use spam filtering to reduce unnecessary email.
Data storage policy
SoapBox’s physical servers are located in a certified and compliant SSAE-16 Type-II/SAFE HARBOR/SOC-2 facility operated by Amazon Inc. via Amazon Web Services.
SoapBox’s operational data is stored in a virtualized environment on servers
located at the AWS N. California cluster of facilities within a VPN.
Backups of SoapBox’s operational data are created daily and stored offsite encrypted using 1024bit PGP encryption within an Amazon run facility. A rolling 30 days worth of backups are stored in the offsite location.
Static files uploaded by users are stored in the United States on Amazon’s AWS S3 infrastructure.
Email is delivered through an American email provider, SendGrid, located in Boulder, Colorado. SendGrid ensure traffic gets delivered through spam filters via safe IP addresses.
Users access SoapBox through their Internet browser. Data is forced to travel encrypted via SSL using the TLS 2.1 and 3.1 protocols.
Analytics tracking is being used to help monitor and provide product insights to better the SoapBox services. Analytics platforms being used are: Google Analytics, Mixpanel, Segment.io, Intercom and Fullstory.
Data center location(s)
United States
App/service has sub-processors
yes
Guidelines for sub-processors